https://bugs.openldap.org/show_bug.cgi?id=9433

          Issue ID: 9433
           Summary: ldapsearch -Z fails to continue when StartTLS fails
           Product: OpenLDAP
           Version: 2.4.56
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: client tools
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 783
  --> https://bugs.openldap.org/attachment.cgi?id=783&action=edit
ldapsearch debug log

When -Z is passed to an OpenLDAP utility, it will try to establish a TLS
connection with StartTLS, and in case it fails to do so it should continue
without the TLS layer.

OpenLDAP version:
openldap-2.4.56-4.fc34.x86_64 (but it also doesn't work on older versions)

How reproducible:
Always

Steps to Reproduce:
1. Run `ldapsearch ...' against a server and see successful operation result.
2. Run `ldapsearch -Z ...' against a server whose certificate is not trusted
(e.g. a hostname mismatch) and observe that it fails to connect as it did in step 1.

Actual results:
~~~
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
# and it hangs there
~~~

Expected results:
The line
~~~
ldap_result: Can't contact LDAP server (-1)
~~~
is not present and the utility successfully continues with plain LDAP protocol
as expected.

Additional info:
I'm attaching a full debug log (-d -1) to this bug.
